Requirements of BSI basic protection and ISO 27001, identifying security risks
IT security is playing an increasingly important role, and not only within IT departments. Not least because of the IT Security Act, which came into force in 2015 and is overseen by the Federal Office for Information Security (BSI), more and more companies from a wide variety of industries are affected and called upon to actively address the security of their IT systems. Operators of so-called "critical infrastructure" must maintain a minimum level of IT security and prove it to the BSI.
Definition of IT security topics, based on BSI basic protection (IT-Grundschutz) and ISO 27001
Clarification of the points:
- Information Security Management: Security requirements (confidentiality, integrity, availability) and principles, Information Security Management System (ISMS) according to ISO 27001, Code of Practice for Information Security Management according to ISO 27002, security roles and governance, awareness and training, controls and frameworks (ITIL, COBIT, CSIS), payment processing according to PCI DSS
- Risk Management: Risk management according to ISO 27002 and NIST SP 800, threat modeling, assets, risks, controls, risk assessments and risk analysis, asset security, classification of information and systems, inventory management, Configuration Management Database (CMDB), IT asset management, ownership, roles and responsibilities, guidelines, storage and deletion of information
- Security Engineering: Secure process models, enterprise security architectures and maturity models, procurement according to Common Criteria (CC), computer and communication architectures, risks posed by modern paradigms (cloud, mobile, big data)
- Cryptography: Symmetric and asymmetric algorithms, hashes and digital signatures, certificates, public key infrastructure (PKI), certification authorities (CAs) and registration authorities (RAs)
- Network communication: OSI reference model and TCP/IP model, network protocols, network devices and perimeters, classic attacks on network stacks, attacks and defense
- Identity management and access controls: Physical access controls, biometric procedures, identification, authentication, authorization, auditing and accountability, directories and access methods, cloud models
- Web applications: OWASP Top 10, threats, standards, particularities of industrial control systems (ICS, CPS, SCADA)
- Secure software development: The most critical errors in software development, software development lifecycle (SDLC), testing, maintenance, interfaces, change management, databases and data modeling, malware, procurement
Learning objectives:
- You know the basic requirements of BSI basic protection and ISO 27001 and can identify security risks, whether in web applications, in network communication or in access and authorization management, to name just a few examples.
- You know the technical background and functionality of the relevant IT security topics.
- You know which tried and tested methods and working techniques can be used to successfully assess and evaluate the security of your IT systems.
Prerequisites:
Project management experience, basic knowledge of IT security
Target audience:
Project managers in large companies who plan IT security measures and projects and need to understand and assess them according to the criticality of the project. IT managers from small and medium-sized enterprises (SMEs) who have to review and define IT security measures for their company.